The present invention relates generally to Android-based mobile devices, and more particularly, to a method for scalable analysis of Android applications for security vulnerability.
Android, as an open smartphone platform, has gained tremendous popularity in recent years. According to Google, Android has reached 100 million activations all over the world. There are more than 200K applications in the official Android Market and even more in the alternative markets.
Android applications have been installed more than 4.5 billion times on mobile devices as of May 2011. Since the applications access critical data from users, it is important to keep users and their apps safe. How to identify security vulnerabilities, information leakage and malware in those applications is a mission-critical problem for smartphone carriers and hardware vendors.
Existing approaches to security vulnerability in Android systems largely focus on malware detection, but do not provide a comprehensive solution that can detect security vulnerability and information leakage simultaneously. Moreover, these existing approaches rely on heuristics based on characteristics that appear in today's malware. It remains unknown whether these existing approaches can detect future malware as well. One approach leverages dynamic taint analysis for privacy leakage detection. This scheme heavily modifies the underlying OS and has high overhead. It is also hard for end-users to incorporate this approach into their smartphones. Decompilation-based approaches decompile the applications back to their source code for static analysis. These approaches have potential legal issues, since the license of the applications may not allow decompilation. Moreover, the decompilation approaches also suffer from high computation overhead and low accuracy. Another prior work identifies permission re-delegation attacks semi-manually and proposes a defense mechanism for the attacks. This prior work still lacks a systematic approach to detect different types of vulnerabilities.
Accordingly, there is a need for a method for scalable analysis of Android applications for security vulnerability.